Iranian Actors Exploit Exposed PLCs to Target US Critical Infrastructure

A joint advisory published on 7 April 2026 by the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command confirms that Iranian-affiliated APT actors are actively compromising internet-exposed programmable logic controllers across US critical infrastructure. Targeted sectors include water and wastewater systems, energy, government facilities, and local municipalities. Confirmed victims have experienced operational disruption and financial losses.

What the advisory confirms

CISA advisory AA26-097A documents an active campaign by Iranian-affiliated advanced persistent threat actors targeting internet-facing PLCs — specifically those manufactured by Rockwell Automation/Allen-Bradley, including CompactLogix and Micro850 devices. The advisory notes that other OT vendors may also be at risk, with indicators suggesting possible Siemens PLC targeting.

The attackers gained initial access using overseas IPs and leased infrastructure, leveraging legitimate engineering software — Rockwell’s Studio 5000 Logix Designer — to interact with compromised devices. Command and control activity used ports including 44818 (EtherNet/IP), 502 (Modbus), and 102 (S7). Once inside, actors maliciously interacted with project files and manipulated data displayed on HMI and SCADA systems, causing operational disruption.

The FBI assesses the group’s intent as causing disruptive effects within the United States. The advisory links the escalation to the US-Iran-Israel conflict that began in February 2026, with activity confirmed as far back as March 2026.

This follows a documented pattern

This campaign is not an isolated incident. In November 2023, IRGC-affiliated actors known as CyberAv3ngers — also tracked as Hydro Kitten, Storm-0784, and UNC5691 — compromised at least 75 Unitronics PLC devices across US water and wastewater facilities by exploiting devices with default or no passwords. The Municipal Water Authority of Aliquippa, Pennsylvania was among the confirmed victims. The US sanctioned six IRGC officials in response in February 2024.

In a subsequent 2024 campaign, the same group deployed custom malware called IOControl to remotely control US and Israeli water and fuel management systems. The Rewards for Justice programme subsequently offered up to $10 million for information on the group.

The current activity is attributed to a related but separate Iranian-affiliated APT group. The pattern is consistent: systematic identification of internet-exposed industrial control systems, exploitation of weak or default credentials, and manipulation of operational processes to cause disruption rather than permanent damage — a state-sponsored capability demonstration.

Why traditional security keeps missing this

The compromised PLCs in this campaign were directly reachable from the internet. The attack did not require novel exploitation techniques. Actors used the same engineering tools that OT teams use daily, making malicious activity difficult to distinguish from legitimate operations.

Most organisations approach industrial security from the inside out — segmenting OT networks, monitoring internal traffic, deploying endpoint protection. What they remain blind to is what attackers see first: the external attack surface. An internet-facing PLC is visible to anyone running a scan. Device type, firmware version, and open ports are all discoverable within minutes using tools like Shodan.

As one security researcher noted in response to the advisory, the core problem for defenders is exposure. If PLCs can be accessed from the internet, attackers have an asymmetric advantage — they can probe continuously at scale while defenders rely on internal monitoring that assumes proper isolation.

That assumption is the gap. Security teams discovered these intrusions only after operational disruptions triggered manual investigations. The attackers had maintained access for weeks by then, mapping internal systems and identifying additional targets.

Immediate actions for security teams

The joint advisory recommends the following actions for any organisation operating internet-connected industrial control systems:

  • Remove PLCs from direct internet exposure — place a firewall or network proxy in front of any PLC, and remove remote access that is not routed through properly configured security controls
  • Switch physical or software mode keys to “run” position on Rockwell devices to prevent remote project file modification
  • Enable multifactor authentication across all OT remote access pathways
  • Audit firmware and credentials — update to latest firmware, disable unused services, and eliminate default usernames and passwords
  • Scan your external perimeter for exposed industrial protocols — check for open ports 502 (Modbus), 44818 (EtherNet/IP), 102 (S7), and 20000 (DNP3) across your IP ranges
  • Review logs against published IOCs — the advisory includes downloadable indicators of compromise in XML and JSON formats
  • Monitor dark web channels for threat actor discussions targeting your sector and shared access to industrial systems
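The two log-focused recommendations above (watching the industrial protocol ports named in the advisory, and checking traffic against the published IOCs) can be combined into one review pass over perimeter firewall logs. The following is an added example written for this post, not code from CybelAngel or from the advisory. It assumes the advisory's JSON IOC file is a STIX 2.1 bundle (an assumption; the page only says XML and JSON), and the IOC addresses, the trusted network ranges, and the firewall log lines are all constructed from documentation ranges for illustration.

```python
"""Flag untrusted access to ICS protocol ports and IOC hits in a firewall log.

Added example; not CybelAngel's or CISA's code. The IOC bundle and the
firewall log below are constructed, and the STIX bundle shape is an assumption.
"""
import ipaddress
import json
import re
from typing import Dict, List, Set

# Industrial protocol ports named in the advisory.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}

# Networks from which engineering access to PLCs is expected.
# Assumption: private ranges only; replace with your own engineering subnets.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IOC bundle in STIX 2.1 shape. The addresses are documentation
# ranges (RFC 5737), not real indicators from the advisory.
IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--placeholder",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR "
                    "ipv4-addr:value = '198.51.100.8']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']"},
    ],
})

# Constructed firewall log, fields: ts src_ip src_port dst_ip dst_port proto action
FIREWALL_LOG = """\
2026-03-20T02:11:05Z 203.0.113.10 51234 192.0.2.15 44818 tcp allow
2026-03-20T02:11:09Z 10.20.30.5 40100 192.0.2.15 44818 tcp allow
2026-03-20T02:12:41Z 198.51.100.7 60111 192.0.2.16 502 tcp allow
2026-03-20T02:13:02Z 192.0.2.200 44322 192.0.2.15 443 tcp allow
2026-03-20T02:14:17Z 203.0.113.77 33001 192.0.2.17 102 tcp deny
2026-03-20T02:15:00Z 198.51.100.8 33002 192.0.2.18 20000 tcp allow
"""

IPV4_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def load_ioc_ips(bundle_json: str) -> Set[str]:
    """Collect IPv4 values from STIX indicator patterns; other IOC types are ignored here."""
    bundle = json.loads(bundle_json)
    ips: Set[str] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            ips.update(IPV4_PATTERN.findall(obj.get("pattern", "")))
    return ips


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an expected engineering network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(log_text: str, ioc_ips: Set[str]) -> List[Dict]:
    """Return one finding per log line that touches an ICS port from an untrusted or IOC source.

    Denied connections are kept as findings too: a blocked probe of port 102 or 502
    from outside is still evidence that the device is being looked for.
    """
    findings: List[Dict] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines rather than crash the review
        ts, src, _sport, dst, dport_s, _proto, action = parts
        dport = int(dport_s)
        if dport not in ICS_PORTS:
            continue
        reasons = []
        if not is_trusted(src):
            reasons.append("untrusted source to ICS port")
        if src in ioc_ips:
            reasons.append("source matches published IOC")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                             "protocol": ICS_PORTS[dport], "action": action,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(FIREWALL_LOG, load_ioc_ips(IOC_BUNDLE)):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} ({f['protocol']}, "
              f"{f['action']}): {'; '.join(f['reasons'])}")
```

On the constructed log this reports four lines: three allowed sessions from IOC-listed addresses to EtherNet/IP, Modbus and DNP3 ports, and one denied probe of the S7 port from an address that is merely untrusted. The trusted-source line to port 44818 is left alone, which is the point of maintaining an allowlist of engineering networks: the advisory's attackers used legitimate Studio 5000 traffic, so port and protocol alone cannot separate an engineer from an intruder, but source network can.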

The broader picture

This campaign sits within a wider pattern of Iranian cyber escalation. Since the start of the US-Iran-Israel conflict in February 2026, Iranian-affiliated groups have claimed victims including Stryker, local governments, and multiple critical infrastructure operators. Iranian actors are increasingly sharing intelligence and access across affiliated groups, accelerating the threat timeline for any organisation with internet-exposed industrial systems.

The supply chain implications are significant. As one security leader noted in response to the advisory: “If a municipal utility goes down, suppliers, hospitals, and regional partners feel it.” Each successful campaign lowers the barrier for the next one — moving from capability demonstration toward real operational interference.

The CISA advisory explicitly states that organisations across all critical infrastructure sectors should assume they may be targeted and proactively assess their OT environments for exposure before attackers find it first.

How CybelAngel detects this type of exposure

The attack vector in this campaign — internet-exposed industrial control systems with weak authentication — is exactly what CybelAngel’s Attack Surface Management module is designed to surface. Our platform continuously scans for exposed PLCs, HMIs, and industrial gateways across client IP ranges and connected infrastructure, identifying internet-facing systems before threat actors reach them.

Our Credential Intelligence module monitors dark web sources and underground forums for compromised credentials and access to industrial systems being traded or advertised by threat actors — including Iranian-affiliated groups that share target intelligence across networks.

When our analysts detect exposed industrial systems or active targeting of a client’s sector, our REACT team provides immediate remediation guidance and coordinates response. The detection gap that allowed these actors to operate undetected for weeks is exactly the window that outside-in monitoring closes.

For more on how state-sponsored groups are targeting industrial infrastructure, read our Aerospace & Defense Cyber Threat Landscape report or see how APT28 used a similar outside-in approach to compromise SOHO routers for credential theft.


About the author